topic Re: Bypassing IPS Protections - MySQL in Firewall and Security Management

Bypassing IPS Protections - MySQL

Michael_Horne — Mon, 05 Nov 2018 21:37:56 GMT

Hello,

I am a bit of the Threat Protection / IPS newbie. I have done a bit of a search for this issue, but I do not find something matching

There is a service definition for MySQL that matches TCP port 3306. We have an SAP application that is also using TCP port 3306, but not for MySQL. This was triggering an IPS event that was in "prevent" and was blocking the traffic:

Note: I have managed to enter a global exception for the destination server so that the action is only "detect".

I would like to have no MySQL traffic to be able to use TCP port 3306 without triggering this protection. I cannot directly create an exception like I have for other IPS protection based on source and destination etc. I get the following:

The protection details in the log do not provide any helpful information about what is actually being triggered:

The only IPS protection that I find that seems to match is "General Settings"

When I look at the details of this protection, the only thing I can do is to change the port associated with MySQL:

I could change port associated with MySQL for the IPS, but I do not want to do this for three reason:

I might want the IPS to detect SQL traffic when it is suing the default port.
Changing the port, will just move the same problem to a different port, that might eventually block another application.
This doesn't seem like the "best practices" solution to the problem.

It appears to me that the IPS is assuming the traffic is MySQL based on the TCP port and the applying a protocol analysis / validation based on this.

For this application I have a known / single source and a known / single destination and ideally I would like to disable this protection for this particular source / destination pair.

The only IPS protection that might match this is call "non compliant MySQL".

I do no know if adding a protection for this will help or not. If this was the IPS protection was involved. I would have expected the original log message would have mentioned this in the protection details.

At the moment I have added an exception for the destination server as the "protected Scope" that has an action of "Detect", but as I cannot match the protection "My SQL - General Settings", I have had to set "Detect" for all IPS detections for the destination host.

Re: Bypassing IPS Protections - MySQL

Vladimir — Mon, 05 Nov 2018 23:22:09 GMT

You can try narrowing the exception down by:

And being a lot more specific with source, destination and service port.

Re: Bypassing IPS Protections - MySQL

G_W_Albrecht — Tue, 06 Nov 2018 08:36:02 GMT

This is hard if you have MySQL Servers on your site that need to be accessed thru the GW. Otherwise, you can deactivate the protection completely...

Re: Bypassing IPS Protections - MySQL

PhoneBoy — Tue, 06 Nov 2018 21:06:29 GMT

Why don't you use a different profile for that server that doesn't include the appropriate signature?

In other words, create another rule just for the affected server? (Put it in the Protected Scope)

Re: Bypassing IPS Protections - MySQL

Michael_Horne — Thu, 08 Nov 2018 09:01:08 GMT

Hi,

Thanks for the reminder, I keep forgetting about the columns that are hidden by default. I can narrow down my exception for the host based on the service.

Many thanks,

Michael

Re: Bypassing IPS Protections - MySQL

Michael_Horne — Thu, 08 Nov 2018 09:06:01 GMT

Hi,

One of the reasons for deploying the Security gateways is for network segregation and also for traffic visibility. At the moment they are not fully aware of all the traffic flowing on the LAN environment. If we discover that there is no MYSQL we can do this. The risk being that later someone deploys a MySQL server without notifying anyone.

Many thanks,

Michael

Re: Bypassing IPS Protections - MySQL

Michael_Horne — Thu, 08 Nov 2018 09:10:44 GMT

Hi,

This would work, but it my opinion that this is "slippery slope" that I do not want to start walking one. Once we have a dedicated profile for one server we might easily start adding customized profiles for other servers. then I am drowning in profiles.

A customized profile just for the server was one option that I did not think about. So thanks for mentioning. Options are always good when looking for a solution!

Many thanks,

Michael

Re: Bypassing IPS Protections - MySQL

Mike_Jensen — Tue, 06 Jul 2021 20:40:52 GMT

I am having the same issue with one server. Are we sure that the protection preventing traffic is the "Non compliant MySQL" one? I also see the Threat Cloud "MySQL - General Settings" protection and the only thing I can change is the port number like you mentioned, I don't seem to have an option to set it to detect, inactive, etc.